Are you using the Apache module in Filebeat?
If you are using modules, the parse is done in Elasticsearch and you should not parse your message with this filter:
if [event][module] == "apache" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
}
This could change the message that will arrive at elasticsearch and the ingest pipeline may not work as expected.